IMPORTANT NOTE:There will be no more support for Windows XP Service Pack 1, after this month no patches will be released in support of that version.

Additional note: The reason for distinguishing between private and public disclosure is that potentially the "bad guys" have had more time to work on the vulnerabilities when the disclosure was public. In theory, and I realize that this is potential, private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem in my opinion.

We will update issues on this page as they evolve.We appreciate updatesUS based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-caserole.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): If you are running an IPv6 network, this probably is more important to you.

Description: This is a remote code execution for Internet Explorer, that is caused by improper validation of the WebViewFolderIcon ActiveX object.

Why do you have "Mitigated" in Yellow up above?

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

Workarounds

To set the kill bits for CLSIDs with values of {e5df9d10-3b52-11d1-83e8-00a0c90dc849} and {844F4806-E8A8-11d2-9652-00C04FC30871}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Thanks to one of our readers that wrote in to tell us that IE7, will be released this month via Automatic Update according to Microsoft's "IEBlog". Take a risk assessment of your organization to decide if you should globally deploy the browser, taking into account the pros and the cons of the software.

If you can take this moment to try and move your organization to a different browsing platform for normal daily browsing, that may be something you want to look into. We've said it before, and we'll say it again, diversity is good.

Reader Dan writes in to tell us:"You may also want to note that Firefox even has a plug-in available to open certain links in IE. This makes it even easier to follow your advice of only using IE when you absolutely must." -- https://addons.mozilla.org/firefox/35/

Reader "Vision Jinx" writes in to tell us:"I notice that IE View just opens the page in IE as a POP up type feature. IE Tabs (https://addons.mozilla.org/firefox/1419/) actually will load a FF Tab that uses IE therefore no need for all them extra Windows, as it just uses a tab in Firefox."

Windows Update is currently experiencing delays and not serving up all those happy patches. The MSRC is reporting some delays with getting the patches up. If you need them immediately you can download directly from the bulletins. ISC Reader Jim McCormick found that by clearing out C:\WINDOWS\SoftwareDistribution\DataStore and C:\WINDOWS\SoftwareDistribution\Download he was able to take care of business. Choice is yours. You could also always wait. :)

Alan Mercer sent in a reminder that Microsoft is discontinuing support for SUS on Dec. 6th, 2006. Because this is before the December patch cycle, it seems that November will be the last patch cycle that SUS will be supported. With the holidays coming up, it's time to think about upgrading to WSUS.

There are four advisories for Microsoft Office this month. All of them appear to be standard client-side vulnerabilities. So the exploitation model is someone evil sends a document (of the affected type) with an exploit buried inside and if the exploit works, the attacker gets the privileges of the user opening the document. These types of bugs have been very popular lately.

MS06-058: Four vulnerabilities in PowerPoint. One of these vulnerabilities have been exploited in the wild (PowerPoint Malformed Record).

MS06-059: Four vulnerabilities in Excel. Two of these have had proof of concept exploit code posted publicly already; the other two vulnerabilities were privately reported to Microsoft.

MS06-060: Four vulnerabilities in Word. Two of these have been publicly disclosed already; the other two vulnerabilities were privately reported to Microsoft.

MS06-062: Three vulnerabilities in Office and Publisher that were reported privately. Exploit code and details have not been released yet.

There are two vulnerabilities in this advisory. The first is a simple Denial of Service against all Windows platforms. The attack vector is TCP ports 139 or 445. Apparently, there is an unitialized buffer that could be modified remotely to crash the box. Exploit code has been available for this bug since July 19, 2006. Famed handler Swa covered it in a diary entry last month: http://isc.sans.org/diary.php?storyid=1599

There probably isn't any need to freak out on this particular vulnerability. The exploit has been out in the wild for several months. If you are seeing some mysterious reboots on Windows machines and untrusted people can hit TCP 139 or 445 on those hosts, then this could potentially solve your problems (although Microsoft is claiming that it hasn't been used in the wild yet). Otherwise, there are no code execution possibilities with this vulnerability, so you don't need to be in "emergency mode" to patch it.

The second vulnerability (SMB Rename) is a remote code execution bug against the Server service, but it requires authentication. So this isn't readily wormable (except maybe in a corporate environment if a user with admin privileges was owned). This one is a little higher priority than the DoS above.

There exists a remote code execution vulnerability in Windows Object Packager (MS06-065) due to the way the application handles file extensions. A specially crafted file could be created that would execute code if a user was sent to a malicious website. However, there is quite a bit of user interaction required for this exploit to actually work. Enhanced Security Configuration for Windows 2003 will effectively mitigate this problem.

The CVE for this exploit is CVE-2006-4692 and will not likely see much action in the wild.

This vulnerability sounds like a classic parser buffer overflow. The advisory actually includes information regarding two distinct vulnerabilities. But only one of them allows arbitrary code execution.

As with similar vulnerablities, the user has to expose the browser to malicious XML code. This could happen by visiting a compromissed site. Once the browser is exposed to the exploit, it will inherit all the privileges of the user running the browser.

Mitigation steps: SandboxIE, do not run as administrator and similar steps will help limit the impact of the vulnerability. This vulnerability is first of all a client issue, less a server issue. You could also try the "Internet Explorer Enhanced Security Configuration". However, I find it a bit too strict most of the time (e.g. no Javascript).

A XSS vulnerabiity in ASP.NET could allow information disclosure. The bulletin is a bit vague on the details, but it does mention a problem with headers. Typically, cookie information could be disclosed using XSS attacks. In turn, the cookie information can be used to impersonate an authenticated user.

The script inserted with XSS will inherit all the capabilities the particular user has. For example, a user could be tricked into clicking a link that will escalate privileges for a malicious user. Exploitation typially requires intimate knowledge of the respective web based application.

XSS exploits are typically not browser specific. Any browser is "vulnerable" given that the actual problem is the web based application. Turning off javascript may help, but then again, you will hit this issue typically as you visit a trusted web site (for example you own web site written in ASP.NET).

You will probably consider this problem more severe ("critical") if you use ASP.NET extensively to manage internal applications. However, on the same note first test the page using your specific web based applications.

Other mitigation steps: Disable ASP.NET if not used on your web server.

This patch is not important for workstations and only applies to servers running web sites with ASP.NET support turned on.